FFIEC: New Guidance, New Security

The Federal Financial Institutions Examination Council addressed some of those issues back in 2005, when it issued guidance about how banks should authenticate online banking users and transactions. But given the uptick in Automated Clearing House and wire-related fraud our industry has seen over the last two years, the FFIEC has been examining ways to enhance online authentication, and reinforce best practices many banking institutions have overlooked in recent years.

Eighteen months after Michigan-based Experi-Metal Inc. sued its former commercial bank, Comerica Bank, a U.S. District Court in Michigan has ruled in favor of the commercial customer. Now Comerica Bank must reimburse EMI more than $560,000 for the funds it lost after the bank approved fraudulent wire transfers that totaled more than $1.9 million.

In the ruling, the judge cites guidelines for online security outlined in the FFIEC's 2005 online authentication guidance, finding that Comerica's basic authentication practices, which relied on log-ins and passwords, did not truly comply with the FFIEC's call for layered security and multifactor authentication.

The case should serve as a wake-up call for banks, especially those that have been lax in their implementation of multifactor practices.

The site aims to serve as a one-stop shop, providing in-depth information from industry experts and practitioners about pending online authentication guidance. We've also included other resources, such as a library of authentication updates from banking regulators and industry associations; our own fraud research; and archival content on subtopics, like device identification and risk assessment.

We think the FFIEC Authentication Guidance site will provide valuable information for U.S.-based institutions as well as international banks that operate in the U.S., as the compliance requirements outlined by the regulators will be applicable to all.

"The banking industry has never seen a greater need for new guidance on authentication, layered security and customer awareness," said Tom Field, editorial director of ISMG, earlier this week. "Already, we are seeing financial institutions amend their budgets and strategies to comply with the FFIEC's new recommendations. It's important, then, for all players in the industry - practitioners, vendors, analysts and even customers - to understand the full ramifications of this important new direction in online authentication."

About the Author

A veteran journalist with more than 20 years' experience, Kitten has covered the financial sector for the last 13 years. Before joining Information Security Media Group in 2010, where she now serves as director of global events content and executive editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.